Bug#398073: specially crafted email headers make kmail lock up in 15-30 minutes
Package: kmail
Version: 4:3.5.5.dfsg.1-1
Severity: serious
Tags: security patch
Justification: makes program unusable because of input from internet
When receiving an email with specially formatted email headers, kmail locks
up in 15-30 minutes without responding. Killing it is possible, but kmail
has a big chance of starting to parse that email on the next start of kmail.
It is in the upstream BTS at
http://bugs.kde.org/show_bug.cgi?id=137033
/Sune
-- System Information:
Debian Release: unstable/experimental
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (200, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-1-vserver-k7
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages kmail depends on:
ii kdebase-kio-plugins 4:3.5.5a.dfsg.1-1 core I/O slaves for KDE
ii kdelibs4c2a 4:3.5.5a.dfsg.1-3 core libraries and binaries for al
ii kdepim-kio-plugins 4:3.5.5.dfsg.1-1 KDE pim I/O Slaves
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libaudio2 1.8-2 The Network Audio System (NAS). (s
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libfontconfig1 2.4.1-2 generic font configuration library
ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib
ii libgcc1 1:4.1.1-19 GCC support library
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libidn11 0.6.5-1 GNU libidn library, implementation
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libkcal2b 4:3.5.5.dfsg.1-1 KDE calendaring library
ii libkdepim1a 4:3.5.5.dfsg.1-1 KDE PIM library
ii libkleopatra1 4:3.5.5.dfsg.1-1 KDE GnuPG interface libraries
ii libkmime2 4:3.5.5.dfsg.1-1 KDE MIME interface library
ii libkpimidentities1 4:3.5.5.dfsg.1-1 KDE PIM user identity information
ii libksieve0 4:3.5.5.dfsg.1-1 KDE mail/news message filtering li
ii libmimelib1c2a 4:3.5.5.dfsg.1-1 KDE mime library
ii libpng12-0 1.2.8rel-7 PNG library - runtime
ii libqt3-mt 3:3.3.7-1 Qt GUI Library (Threaded runtime v
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libstdc++6 4.1.1-19 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.3-2 X11 client-side library
ii libxcursor1 1.1.7-4 X cursor management library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxft2 2.1.8.2-8 FreeType-based font drawing librar
ii libxi6 1:1.0.1-3 X11 Input extension library
ii libxinerama1 1:1.0.1-4.1 X11 Xinerama extension library
ii libxrandr2 2:1.1.0.2-4 X11 RandR extension library
ii libxrender1 1:0.9.1-3 X Rendering Extension client libra
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii perl 5.8.8-6.1 Larry Wall's Practical Extraction
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages kmail recommends:
ii procmail 3.22-16 Versatile e-mail processor
-- no debconf information
Index: libemailfunctions/email.cpp
===================================================================
--- libemailfunctions/email.cpp (Revision 599840)
+++ libemailfunctions/email.cpp (working copy)
@@ -111,7 +111,14 @@
displayName = "";
addrSpec = "";
comment = "";
-
+
+ // these strings are later copied to displayName resp. addrSpec resp. comment
+ // we don't operate directly on those variables, since as ByteArray deriverates
+ // they have a miserable performance on operator+
+ QString dName;
+ QString aSpec;
+ QString cmmt;
+
if ( address.isEmpty() )
return KPIM::AddressEmpty;
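Review bot: the comment introducing the three work buffers has a typo ("deriverates" should be "derivatives") and does not name the type it is complaining about; since the outputs are assigned from local8Bit() at the end of the patch they are QCString, so say so and state the consequence, e.g. "// displayName/addrSpec/comment are QCString; its operator+= costs O(length) per append, so a long header took quadratic time (kde bug 137033); build the result in QString and convert once". The "-"/"+" pair on the blank line just above the new declarations looks like a whitespace-only change and should be dropped from the patch so the hunk only carries the real fix.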
@@ -129,26 +136,26 @@
case TopLevel : {
switch ( *p ) {
case '"' : inQuotedString = !inQuotedString;
- displayName += *p;
+ dName += *p;
break;
case '(' : if ( !inQuotedString ) {
context = InComment;
commentLevel = 1;
}
else
- displayName += *p;
+ dName += *p;
break;
case '<' : if ( !inQuotedString ) {
context = InAngleAddress;
}
else
- displayName += *p;
+ dName += *p;
break;
case '\\' : // quoted character
- displayName += *p;
+ dName += *p;
++p; // skip the '\'
if ( *p )
- displayName += *p;
+ dName += *p;
else
return KPIM::UnexpectedEnd;
break;
@@ -159,57 +166,57 @@
return KPIM::UnexpectedComma;
}
else
- displayName += *p;
+ dName += *p;
break;
- default : displayName += *p;
+ default : dName += *p;
}
break;
}
case InComment : {
switch ( *p ) {
case '(' : ++commentLevel;
- comment += *p;
+ cmmt += *p;
break;
case ')' : --commentLevel;
if ( commentLevel == 0 ) {
context = TopLevel;
- comment += ' '; // separate the text of several comments
+ cmmt += ' '; // separate the text of several comments
}
else
- comment += *p;
+ cmmt += *p;
break;
case '\\' : // quoted character
- comment += *p;
+ cmmt += *p;
++p; // skip the '\'
if ( *p )
- comment += *p;
+ cmmt += *p;
else
return KPIM::UnexpectedEnd;
break;
- default : comment += *p;
+ default : cmmt += *p;
}
break;
}
case InAngleAddress : {
switch ( *p ) {
case '"' : inQuotedString = !inQuotedString;
- addrSpec += *p;
+ aSpec += *p;
break;
case '>' : if ( !inQuotedString ) {
context = TopLevel;
}
else
- addrSpec += *p;
+ aSpec += *p;
break;
case '\\' : // quoted character
- addrSpec += *p;
+ aSpec += *p;
++p; // skip the '\'
if ( *p )
- addrSpec += *p;
+ aSpec += *p;
else
return KPIM::UnexpectedEnd;
break;
- default : addrSpec += *p;
+ default : aSpec += *p;
}
break;
}
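Review bot: the three `case '\\'` blocks (TopLevel in the previous hunk, InComment and InAngleAddress here) are now identical except for the target buffer: append the backslash, `++p`, append the next byte or `return KPIM::UnexpectedEnd`. A small static helper such as `appendQuotedChar( QString & target, const char * & p )` returning false on a trailing backslash would remove the triplication that this rename had to touch six times, and leaves the UnexpectedEnd path in one place to test.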
@@ -223,9 +230,10 @@
if ( context == InAngleAddress )
return KPIM::UnclosedAngleAddr;
- displayName = displayName.stripWhiteSpace();
- comment = comment.stripWhiteSpace();
- addrSpec = addrSpec.stripWhiteSpace();
+
+ displayName = dName.stripWhiteSpace().local8Bit();
+ comment = cmmt.stripWhiteSpace().local8Bit();
+ addrSpec = aSpec.stripWhiteSpace().local8Bit();
if ( addrSpec.isEmpty() ) {
if ( displayName.isEmpty() )
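Review bot: the final `.local8Bit()` conversions are not the inverse of the `dName += *p` appends above. QString's `operator+=( char )` widens each raw header byte as Latin-1, and local8Bit() then re-encodes with the locale codec, so in a UTF-8 locale any 8-bit bytes in the header come out double-encoded, where the old code copied them into the QCString outputs unchanged; the reporter's ISO-8859-1 locale (LC_CTYPE=en_GB) hides this. Use `.latin1()` for the three assignments so output bytes equal input bytes, and add a test with a raw 8-bit display name run under a UTF-8 locale.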
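The report above describes the symptom (a crafted header makes kmail unresponsive) and the patch comment names the cause (per-append cost on the QByteArray-derived outputs). The following is an added example, not code from the Debian report or from the KDE patch: it ports the splitter's three-context state machine to plain C++ and runs it over two work-buffer types, AmortizedString (std::string, geometric growth) and QuadraticString, a naive buffer whose every append re-measures and reallocates the whole string. Counting bytes touched instead of timing makes the quadratic blow-up reproducible in a unit test. The result names beyond the four visible in the hunks, the post-loop checks and the hostile header are assumptions, not taken from the original source.

```cpp
// Added example; not code from the Debian report or the KDE patch.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Only AddressEmpty, UnexpectedEnd, UnexpectedComma and UnclosedAngleAddr are
// visible in the patch; the rest are assumed names.
enum ParseResult { AddressOk, AddressEmpty, UnexpectedEnd, UnexpectedComma,
                   UnbalancedQuote, UnbalancedParens, UnclosedAngleAddr };

// Naive buffer: strlen() + exact-size reallocation + copy on every append, so
// one append costs O(current length) and n appends cost O(n^2).  bytesTouched
// counts bytes read or written, making the cost visible without a stopwatch.
struct QuadraticString {
    char *buf = nullptr;
    std::uint64_t bytesTouched = 0;
    ~QuadraticString() { delete[] buf; }
    QuadraticString &operator+=(char c) {
        std::size_t len = buf ? std::strlen(buf) : 0;  // walks len bytes
        char *grown = new char[len + 2];                // exact fit, like realloc()
        if (buf) std::memcpy(grown, buf, len);          // copies len bytes
        grown[len] = c; grown[len + 1] = '\0';
        delete[] buf; buf = grown;
        bytesTouched += 2 * len + 1;
        return *this;
    }
    std::string str() const { return buf ? std::string(buf) : std::string(); }
};

// std::string behind the same interface: it copies only when capacity grows,
// and libstdc++ grows geometrically, so n appends touch O(n) bytes.
struct AmortizedString {
    std::string s;
    std::uint64_t bytesTouched = 0;
    AmortizedString &operator+=(char c) {
        if (s.size() == s.capacity()) bytesTouched += s.size();  // growth copy
        s += c; ++bytesTouched;
        return *this;
    }
    std::string str() const { return s; }
};

struct Address {
    std::string displayName, addrSpec, comment;
    std::uint64_t bytesTouched = 0;  // work done by the three buffers together
};

static std::string stripWhiteSpace(const std::string &s) {
    std::size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return std::string();
    return s.substr(b, s.find_last_not_of(" \t\r\n") - b + 1);
}

// '\\' escapes the next byte in every context; a trailing '\\' is UnexpectedEnd.
template <class Str>
static bool appendQuoted(const std::string &a, std::size_t &i, Str &out) {
    out += a[i];
    if (++i >= a.size()) return false;
    out += a[i];
    return true;
}

// Port of the splitter's state machine; Str is the work-buffer type under test.
template <class Str>
ParseResult splitAddress(const std::string &address, Address &out) {
    enum Context { TopLevel, InComment, InAngleAddress };
    out = Address();
    if (address.empty()) return AddressEmpty;
    Str dName, aSpec, cmmt;  // work buffers, as in the patch
    Context context = TopLevel;
    bool inQuotedString = false;
    int commentLevel = 0;
    for (std::size_t i = 0; i < address.size(); ++i) {
        const char c = address[i];
        switch (context) {
        case TopLevel:
            if (c == '\\') { if (!appendQuoted(address, i, dName)) return UnexpectedEnd; }
            else if (c == '"') { inQuotedString = !inQuotedString; dName += c; }
            else if (c == '(' && !inQuotedString) { context = InComment; commentLevel = 1; }
            else if (c == '<' && !inQuotedString) { context = InAngleAddress; }
            else if (c == ',' && !inQuotedString) { return UnexpectedComma; }
            else dName += c;
            break;
        case InComment:
            if (c == '\\') { if (!appendQuoted(address, i, cmmt)) return UnexpectedEnd; }
            else if (c == '(') { ++commentLevel; cmmt += c; }
            else if (c == ')' && --commentLevel == 0) { context = TopLevel; cmmt += ' '; }
            else cmmt += c;
            break;
        case InAngleAddress:
            if (c == '\\') { if (!appendQuoted(address, i, aSpec)) return UnexpectedEnd; }
            else if (c == '"') { inQuotedString = !inQuotedString; aSpec += c; }
            else if (c == '>' && !inQuotedString) { context = TopLevel; }
            else aSpec += c;
            break;
        }
    }
    if (inQuotedString) return UnbalancedQuote;        // assumed post-loop checks
    if (context == InComment) return UnbalancedParens;
    if (context == InAngleAddress) return UnclosedAngleAddr;
    out.displayName = stripWhiteSpace(dName.str());
    out.addrSpec = stripWhiteSpace(aSpec.str());
    out.comment = stripWhiteSpace(cmmt.str());
    out.bytesTouched = dName.bytesTouched + aSpec.bytesTouched + cmmt.bytesTouched;
    return AddressOk;
}

// Constructed hostile header (not from the report): an n-byte display name, the
// shape that makes per-append reallocation quadratic.
std::string hostileHeader(std::size_t n) {
    return std::string(n, 'A') + " <victim@example.org>";
}
```

Running `splitAddress<QuadraticString>` and `splitAddress<AmortizedString>` over `hostileHeader(20000)` gives identical fields but about 4 x 10^8 bytes touched against roughly 5 x 10^4, and the gap grows with the square of the header length, which is why a header of a few hundred kilobytes pins the client for many minutes. Because the appends are driven by untrusted input, the regression test to keep is the bound on bytesTouched (or wall time) for a long header, not just the parse results.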